| ID | Submitted | File | MD5 | Tags | URLs | Hosts | Alerts | C2 | Score | VT | User |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 38641 | 2021-11-18 13:53 | 123_3k.exe | 6d1eaa01bd0f3d10232bf630175b839b | RAT Generic Malware PE File PE32 .NET EXE VirusTotal Malware Check memory Checks debugger unpack itself ComputerName | | | | | 2.2 | 46 | ZeroCERT |
| 38642 | 2021-11-18 13:52 | 1307_1637053872_8294.exe | 5e435815f049849380d659c3acd2d586 | RAT PWS .NET framework Generic Malware UPX PE File OS Processor Check PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Malware suspicious privilege Check memory Checks debugger buffers extracted WMI unpack itself Collect installed applications installed browsers check Windows Browser ComputerName DNS Cryptographic key Software crashed | | 1 | | | 7.0 | 36 | ZeroCERT |
| 38643 | 2021-11-18 13:52 | http://msg-intl.qy.net/v5/ypt/... | d41d8cd98f00b204e9800998ecf8427e | AntiDebug AntiVM MSOffice File VirusTotal Malware Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed | 2: http://msg-intl.qy.net/v5/ypt/dec; http://msg-intl.qy.net/favicon.ico | 2: msg-intl.qy.net(159.138.102.146); 159.138.102.146 | 2: ET INFO TLS Handshake Failure; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | | 4.2 | | C0d3_22 |
| 38644 | 2021-11-18 13:52 | bird.png | b56472432fa955761c7b65e7dee8ef60 | UPX PE File OS Processor Check PE32 RCE | | | | | 0.8 | | ZeroCERT |
| 38645 | 2021-11-18 13:51 | 15_1637082780_2946.exe | 9733aef1c8ec194a3198ab8e0130b7d4 | Malicious Library UPX PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself | | | | | 2.0 | 31 | ZeroCERT |
| 38646 | 2021-11-18 13:50 | invoice_0003900000.wbk | cfeee36c618563537127b7c9c2787c45 | Loki RTF File doc LokiBot Malware download VirusTotal Malware c&c Malicious Traffic exploit crash unpack itself Windows Exploit DNS crashed Downloader | 3: http://103.170.255.140/59993/vbc.exe; http://secure01-redirect.net/ga14/fre.php - rule_id: 7227; http://secure01-redirect.net/ga14/fre.php | 3: secure01-redirect.net(193.109.78.71); 193.109.78.71; 103.170.255.140 | 13: ET MALWARE LokiBot User-Agent (Charon/Inferno); ET MALWARE LokiBot Checkin; ET INFO Executable Download from dotted-quad Host; ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2; ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1; ET MALWARE LokiBot Request for C2 Commands Detected M1; ET MALWARE LokiBot Request for C2 Commands Detected M2; ET MALWARE LokiBot Fake 404 Response; ET POLICY PE EXE or DLL Windows file download HTTP; ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response | 1: http://secure01-redirect.net/ga14/fre.php | 4.4 | 27 | ZeroCERT |
| 38647 | 2021-11-18 13:49 | 4637_1637095941_5016.exe | 8c96471e0c39a68c73fcd9cf571b9cdc | Malicious Library UPX PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself | | | | | 2.2 | 43 | ZeroCERT |
| 38648 | 2021-11-18 13:47 | balzak.html | c8975f3bb4a94c035e7b3a4594c8dab0 | Generic Malware UPX Antivirus AntiDebug AntiVM PE File OS Processor Check PE32 VirusTotal Malware powershell suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut RWX flags setting unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process Windows ComputerName DNS Cryptographic key | 2: http://198.252.108.121/images/bird.png; http://94.140.115.0/images/bird.png | 2: 94.140.115.0; 198.252.108.121 | 3: ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response | | 11.8 | 3 | ZeroCERT |
| 38649 | 2021-11-18 13:34 | PCHealthCheck.exe | c5a267398167c6a47f81a89056761528 | Gen2 Generic Malware Malicious Packer Admin Tool (Sysinternals etc ...) Malicious Library UPX PE64 PE File OS Processor Check PDB RCE | | | | | 0.4 | | C0d3_22 |
| 38650 | 2021-11-18 13:16 | http://chek.zennolab.com/proxy... | b6dc5502b3a9e484f096210896f467f5 | Create Service DGA Socket Steal credential DNS Internet API Hijack Network Code injection Sniff Audio HTTP KeyLogger FTP Escalate priviledges Downloader ScreenShot Http API P2P persistence AntiDebug AntiVM MSOffice File VirusTotal Malware Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed | 2: http://chek.zennolab.com/proxy.php; http://chek.zennolab.com/favicon.ico | 2: chek.zennolab.com(37.1.223.41); 37.1.223.41 | 2: ET INFO TLS Handshake Failure; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | | 4.6 | | C0d3_22 |
| 38651 | 2021-11-18 13:10 | 7wmp0b4s.rsc | b258374a8e32542b9eba337a3f82f5b1 | AntiDebug AntiVM VirusTotal Email Client Info Stealer Malware suspicious privilege Checks debugger Creates shortcut unpack itself installed browsers check Browser Email ComputerName | | | | | 3.8 | 2 | C0d3_22 |
| 38652 | 2021-11-18 13:01 | t-rex.exe | d8a71db524074bb8b29928c141a570f9 | Malicious Library PE64 PE File VirusTotal Malware | | | | | 1.8 | 44 | C0d3_22 |
| 38653 | 2021-11-18 12:55 | octafx4setup.exe | 568e1204996456984c05f12de9201168 | Gen2 Formbook Generic Malware UPX Malicious Library PE File PE32 OS Processor Check VirusTotal Malware Check memory buffers extracted WMI unpack itself Check virtual network interfaces AppData folder AntiVM_Disk anti-virtualization VM Disk Size Check Tofsee ComputerName RCE DNS | 1: http://crt.usertrust.com/USERTrustECCAddTrustCA.crt | 23: api9.mql5.net(147.75.92.40); download.mql5.com(27.111.161.152); crt.usertrust.com(91.199.212.52); api14.mql5.net(0.0.0.0); content.mql5.com(27.111.161.150); 91.199.212.52; 47.91.24.164; 27.111.161.152; 195.201.80.82; 142.215.208.235; 117.20.41.198; 103.26.205.122; 27.111.161.150; 102.68.85.100; 147.75.92.40; 88.212.232.132; 177.154.156.125; 78.140.180.43; 47.74.84.54; 156.38.206.21; 156.38.206.18; 147.75.48.214; 147.139.41.121 | 1: SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | | 10.6 | 1 | C0d3_22 |
| 38654 | 2021-11-18 10:43 | y76gkOkGrbYHjh.dll | 722f898d814e4d04ed7c41bde6760eff | Emotet Malicious Library UPX PE File OS Processor Check PE32 DLL Dridex TrickBot Malware Report Checks debugger ICMP traffic unpack itself sandbox evasion Kovter ComputerName DNS | | 20: 195.154.146.35; 177.72.80.14; 45.79.33.48; 168.197.250.14; 54.38.242.185; 191.252.103.16; 51.210.242.234; 207.148.81.119; 51.178.61.60; 66.42.57.149; 78.46.73.125; 196.44.98.190; 142.4.219.173; 195.77.239.39; 185.148.169.10; 78.47.204.80; 37.59.209.141; 85.214.67.203; 37.44.244.177; 54.37.228.122 | 6: ET CNC Feodo Tracker Reported CnC Server group 18; ET INFO TLS Handshake Failure; ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex; ET CNC Feodo Tracker Reported CnC Server group 17; ET CNC Feodo Tracker Reported CnC Server group 5; ET CNC Feodo Tracker Reported CnC Server group 13 | | 5.4 | | 블루 |
| 38655 | 2021-11-18 10:29 | f59ovCcsI09zqD8KZ0o.dll | bd63c91ebde9fde16b3ce1b890074baa | PE File PE32 DLL VirusTotal Malware | | | | | 1.0 | 15 | Kim.GS |